.TH "PKI \-\-VERIFY" 1 "2016-08-19" "@PACKAGE_VERSION@" "strongSwan"
.
.SH "NAME"
.
pki \-\-verify \- Verify a certificate using a CA certificate
.
.SH "SYNOPSIS"
.
.SY pki\ \-\-verify
.OP \-\-in file
.OP \-\-cacert file
.OP \-\-crl file
.OP \-\-debug level
.OP \-\-online
.YS
.
.SY pki\ \-\-verify
.BI \-\-options\~ file
.YS
.
.SY "pki \-\-verify"
.B \-h
|
.B \-\-help
.YS
.
.SH "DESCRIPTION"
.
This sub-command of
.BR pki (1)
verifies a certificate using an optional CA certificate.
.
.SH "OPTIONS"
.
.TP
.B "\-h, \-\-help"
Print usage information with a summary of the available options.
.TP
.BI "\-v, \-\-debug " level
Set debug level, default: 1.
.TP
.BI "\-+, \-\-options " file
Read command line options from \fIfile\fR.
.TP
.BI "\-i, \-\-in " file
X.509 certificate to verify. If not given it is read from \fISTDIN\fR.
.TP
.BI "\-c, \-\-cacert " file
CA certificate to use for trustchain verification. If not given the certificate
is assumed to be self\-signed. May optionally be a path to a directory from
which CA certificates are loaded. Can be used multiple times.
.TP
.BI "\-l, \-\-crl " file
Local CRL to use for trustchain verification. May optionally be a path to a
directory from which CRLs are loaded. Can be used multiple times.
Implies \fB-o\fR.
.TP
.BI "\-o, \-\-online
Enable online CRL/OCSP revocation checking.
.
.SH "EXIT STATUS"
The exit status is 0 if the certificate was verified successfully, 1 if the
certificate is untrusted, 2 if the certificate's lifetimes are invalid, and 3
if the certificate was verified successfully but the online revocation check
indicated that it has been revoked.
.
.SH "SEE ALSO"
.
.BR pki (1)
